NetBSD-Users archive


Re: setkey -- twofish-cbc unsupported algorithm



Pierre-Philipp Braun <pbraun%nethence.com@localhost> writes:

> Hello, I was willing to benchmark and compare a few IPSEC settings and
> I noticed twofish-cbc does not seem to be available, although it is
> referenced in the manual.  Seen on NetBSD/amd64 9.0.  Is this a known
> issue?  I tried with 128 and 256 bit keys, same result.  No problem
> with blowfish-cbc and cast128-cbc.

I am really unclear on this.  Twofish was an AES finalist, and it seems
not to be used so much now.

I would suggest reading the sources for setkey to see if twofish
appears, and for the kernel.  Also the cvs logs.  If it turns out that
we removed twofish, or it was never there, and setkey(1) lists it, I can
fix it.


Also, as you test, you may want to look into whether the kernel is using
AES instructions, with or without /dev/crypto offload.  I have not paid
attention to these details in quite a few years.  As Wikipedia notes,
while twofish and rijndael were competitive in speed, twofish is slower
on computers with AES hardware support!

